fix(isFloat): reject sign-only + decimal-separator combinations #2786
Open
JSap0914 wants to merge 1 commit into
isFloat('+.') and isFloat('-.') returned true because the early-return
blacklist only checked for the sign and separator individually, missing
the combined form. Same false positive occurs for the comma-decimal
locales ('+,'/'-,' with e.g. de-DE) and for the Arabic decimal
separator ('+٫'/'-٫' with ar-JO).
Extend the guard to also reject '+<sep>' and '-<sep>' for the dot and
comma separators (existing behavior for the characters in isolation is
kept) and derive the locale's separator to cover non-latin separators.
Closes validatorjs#2090
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## master #2786 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 114 114
Lines 2587 2588 +1
Branches 656 657 +1
=========================================
+ Hits 2587 2588 +1
WikiRik
reviewed
Jun 27, 2026
Comment on lines
+10
to
+12
| if (str === '' || str === '.' || str === ',' || str === '-' || str === '+' | ||
| || str === '+.' || str === '-.' || str === '+,' || str === '-,' | ||
| || str === `+${decimalSep}` || str === `-${decimalSep}`) { |
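Review bot: the first line of this condition rejects only `.` and `,` as bare separators, so a bare `decimalSep` that is neither of those (the description gives `٫` for `ar-JO`) is not rejected here, even though `+${decimalSep}` and `-${decimalSep}` now are. If that input can reach the float regex it needs the same treatment: add `|| str === decimalSep` and an `invalid` fixture for it. The literal `'+,'` and `'-,'` checks on the second line also apply in every locale, which deserves a short comment since `decimalSep` already covers the active one.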
Member
Why not a regular expression as suggested in the issue?
Problem
`isFloat('+.')` and `isFloat('-.')` return `true` but should return `false`. The same false positive appears with comma-decimal locales (`+,`/`-,` for `de-DE`) and with the Arabic decimal separator (`+٫`/`-٫` for `ar-JO`).
Closes #2090
Root cause
The early-return blacklist in `src/lib/isFloat.js` rejects each problematic token individually:
But the combined form — a sign immediately followed by the decimal separator and nothing else — slips through because it is not in the list. The float regex then matches it (the digit groups are all optional) and returns `true`, while `parseFloat('+.')` returns `NaN`, so the result is semantically wrong.
Fix
Extend the early-return to also reject the two combined forms (`+<sep>` and `-<sep>`) for the dot and comma separators, and derive the locale's actual separator (e.g. `٫` for Arabic locales) to cover non-ASCII decimal characters too:
Verification
Six new `invalid` fixtures were added (two per locale: default `.`, `de-DE` comma, `ar-JO` Arabic separator). All previously-valid inputs (`+.123`, `-.5`, `+,123` for `de-DE`, etc.) remain valid. No existing tests were modified.
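The regular-expression route raised in the review, as an added JavaScript example that is not validator.js code and not part of this pull request: it requires at least one digit structurally, so no sign or separator token has to be listed. `SEPARATORS`, `sepPattern`, `looseFloat`, `strictFloat` and `falsePositives` are hypothetical names, and `looseFloat` is a simplified stand-in for a regex whose digit groups are all optional, not the regex in `src/lib/isFloat.js`.

```javascript
// Added illustration; not validator.js source. SEPARATORS is a constructed
// table holding only the three separators named in the PR description.
// '\u066B' is the Arabic decimal separator, written as an escape so the
// source contains no right-to-left characters.
const SEPARATORS = { 'en-US': '.', 'de-DE': ',', 'ar-JO': '\u066B' };

function sepPattern(locale) {
  const sep = SEPARATORS[locale];
  if (sep === undefined) throw new Error(`unknown locale: ${locale}`);
  // Escape regex metacharacters so '.' is matched literally.
  return sep.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Simplified stand-in for a float regex whose digit groups are all optional.
function looseFloat(str, locale = 'en-US') {
  const sep = sepPattern(locale);
  return new RegExp(`^[-+]?[0-9]*(?:${sep}[0-9]*)?$`).test(str);
}

// Structural rule: an optional sign, then digits with an optional fraction,
// or a separator followed by at least one digit. No token list is needed.
function strictFloat(str, locale = 'en-US') {
  const sep = sepPattern(locale);
  const re = new RegExp(`^[-+]?(?:[0-9]+(?:${sep}[0-9]*)?|${sep}[0-9]+)$`);
  return re.test(str);
}

// Constructed probes: every digit-free combination of sign and separator,
// plus two inputs that must stay valid under both rules.
function falsePositives(locale) {
  const sep = SEPARATORS[locale];
  const probes = ['', '+', '-', sep, `+${sep}`, `-${sep}`, `+${sep}123`, `1${sep}`];
  return probes.filter((s) => looseFloat(s, locale) && !strictFloat(s, locale));
}

for (const locale of Object.keys(SEPARATORS)) {
  console.log(locale, JSON.stringify(falsePositives(locale)));
}
```

For each locale the probe list reports six digit-free strings that the loose pattern accepts, including the bare locale separator, which a token blacklist has to list one by one.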